Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:60824
Return-Path: <peter.e.lind@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 83394 invoked from network); 14 Jun 2012 13:28:01 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 14 Jun 2012 13:28:01 -0000
Authentication-Results: pb1.pair.com header.from=peter.e.lind@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=peter.e.lind@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.213.170 as permitted sender)
X-PHP-List-Original-Sender: peter.e.lind@gmail.com
X-Host-Fingerprint: 209.85.213.170 mail-yx0-f170.google.com  
Received: from [209.85.213.170] ([209.85.213.170:52206] helo=mail-yx0-f170.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 33/96-39100-0E6E9DF4 for <internals@lists.php.net>; Thu, 14 Jun 2012 09:28:01 -0400
Received: by yenl12 with SMTP id l12so993063yen.29
        for <internals@lists.php.net>; Thu, 14 Jun 2012 06:27:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc:content-type;
        bh=A87bdLLD64QeR9YTRVMQC44GkSF+l2rPvKpoONRRKeM=;
        b=QQYUjiENlK434ZbbaJmkIXdTGnNGU/NzpWdVbFQnLmNW9TW1AzvUyw19kOBJwVW45A
         APhTlrzaO5aWdGZr1lLmmX6z86/SWRLuXEuTwb2hgzeMCywQe2Ws0OEnyueRr3pUVp0R
         POgoss7QT7ZmLdbCfbYzsiwTHbzfonb1ibbBP+0xp+GQLCctCW4syiBawJkY1lFomayA
         F6YSW4Nv3zTT6etcHavPXhbVgfwjQYou8jc/O7EZ2pV5WFxJ8E0nzt0DSCAxJMbHMnRY
         UlDJDK84uocY9Gz+xKax1pBSAGOA5y0UeiMqYczT+ZfEx2iOhiNirpsja1q3xf96h9wD
         M8dA==
Received: by 10.60.1.37 with SMTP id 5mr1841434oej.10.1339680477787; Thu, 14
 Jun 2012 06:27:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.76.27.169 with HTTP; Thu, 14 Jun 2012 06:27:37 -0700 (PDT)
In-Reply-To: <CAAyV7nGJRGO9tu_UKsO+nVAp5Ks_HTsGCU+4TF2i7MeJmvkSrw@mail.gmail.com>
References: <CAF+90c-6VWJ_kBW=Z8Br-NOxKyuTkwStRg-OMBa6844w3=CjDA@mail.gmail.com>
 <CA+yzxZhx9YVarc7dYJYf5LPnTxR6eR3RYa43QsgFOe+DCw7t-Q@mail.gmail.com> <CAAyV7nGJRGO9tu_UKsO+nVAp5Ks_HTsGCU+4TF2i7MeJmvkSrw@mail.gmail.com>
Date: Thu, 14 Jun 2012 15:27:37 +0200
Message-ID: <CAEU6NAdCUBxtrJkXuOAkKWn2j1eASkUeaXQmXZW7H91yKP7+Cg@mail.gmail.com>
To: Anthony Ferrara <ircmaxell@gmail.com>
Cc: PHP internals <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] Adding a simple API for secure password hashing?
From: peter.e.lind@gmail.com (Peter Lind)

* snip*

>> Stas has the right approach, not only should the methods be simplified and
>> platform/algorithm agnostic but have a proper salt built in (there are a
>> few CSPRNG implementations around), I've seen salts used from numbers to
>> md5's to just being skipped altogether.
>
> Well, just to be clear, a salt does not need a CSPRNG. All it needs to
> be is reasonably unique. In fact, I wouldn't make it CS, as that would
> deplete the available entropy in the system for CSPRNG generation.

Whether or not a CSPRNG is needed depends on what you're doing, your
needed level of security. Perhaps add a parameter to control this, so
it would be possible to make use of this function even if you need the
maximum level of security? If it's not available, the function should
fail in some suitable fashion.

*snip*

> Or, we could implement a system like I did in
> https://github.com/ircmaxell/PHP-CryptLib/tree/master/lib/CryptLib/Random
> that follows RFC4086: http://tools.ietf.org/html/rfc4086#section-5.2
> Where it mixes together several sources of weak and moderate strength
> PRNG...

Will the entropy multiply by mixing sources? I.e. will the result be
"more random"? Won't it just be as random as the most random source?

Other than that, the SPL version seems like a nice idea.

Regards
Peter

-- 
<hype>
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
</hype>